Welcome to Planet openSUSE

This is a feed aggregator that collects what openSUSE contributors are writing in their respective blogs.

To have your blog added to this aggregator, please read the instructions.

24 August, 2016


Plasma 5.8 will be our first long-term supported release in the Plasma 5 series. We want to make this a release as polished and stable as possible. One area we weren’t quite happy with was our multi-screen user experience. While it works quite well for most of our users, there were a number of problems which made our multi-screen support sub-par.
Let’s take a step back to define what we’re talking about.

Multi-screen support means connecting more than one screen to your computer. The following use cases give good examples of the scope:

  • Static workstation: A desktop computer with more than one display connected, the desktop typically spans both screens to give more screen real estate.
  • Docking station: A laptop computer that is hooked up to a docking station with additional displays connected. This is a more interesting case, since different configurations may be picked depending on whether the laptop’s lid is closed or not, and how the user switches between displays.
  • Projector: The computer is connected to a projector or TV.

The idea is that the user plugs in or starts up with that configuration, if the user has already configured this hardware combination, this setup is restored. Otherwise, a reasonable guess is done to put the user to a good starting point to fine-tune the setup.

This is the job of KScreen. At a technical level, kscreen consists of three parts:

  • system settings module: This can be reached through system settings.
  • kscreen daemon: Run in a background process, this component saves, restores and creates initial screen configurations.
  • libkscreen: This is the library providing the screen setup reading and writing API. It has backends for X11, Wayland, and others that allow talking to the exact same programming interface, independent of the display server in use.

At an architectural level, this is a sound design: the roles are clearly separated, the low-level bits are suitably abstracted to allow re-use of code, the API presents what matters to the user, implementation details are hidden. Most importantly, aside from a few bugs, it works as expected, and in principle, there’s no reason why it shouldn’t.

So much for the theory. In reality, we’re dealing with a huge amount of complexity. There are hardware events such as suspending, waking up with different configurations, the laptop’s lid may be closed or opened (and when that’s done, we don’t even get an event that it closed), displays come and go, depending on their connection, the same piece of hardware might support completely different resolutions, hardware comes with broken EDID information, display connectors come and go, so do display controllers (crtcs); and on top of all that: the only way we get to know what actually works in reality for the user is the “throw stuff against the wall and observe what sticks” tactic.

This is the fabric of nightmares. Since I prefer to not sleep, but hack at night, I seemed to


openSUSE Tumbleweed had another abundant week of snapshots.

Four Tumbleweed snapshots were released since the last article and the snapshot of the week, 20160816, brought users a new version of gtk3 (3.20.8). Updated in the repositories for this snapshot was an updated version of yast2-auth-client (3.3.10). Cairo graphics fixed several bugs and Apache2 removed the omc xml config because the change log states it is “useless nowdays.”

Snapshot 20160817 has several updates for the scalable storage platform ceph, which added an ability to reduce the constraints on resources required to build ceph and ceph-test packages. Git updated to version 2.9.3 and glib2 had several subpackages updated as did gnome-desktop. This snapshot caused quite a bit of chatter on the openSUSE Factory mailing list and serves as a reminder for people using openSUSE Tumbleweed to subscribe to the mailing list so they are aware of the updates.

The most appealing update in snapshot 20160818 was the added subpackages to libreoffice. Other noteworthy updates in the repositories for this snapshot were grub2, libstorage and kernel-firmware version 20160804. Updates in the repositories specific to openSUSE in this snapshot were made to snapper, wicked and yast2.

The Linux Kernel was updated to version 4.7.1 in the 20160820 snapshot along with F Virtual Window Manager2.

KDE applications 16.08.0 and glibc 2.24 are expected to come in a snapshot soon.

Kernel 4.7.2 recently entered a staged testing phase and will hopefully make it into a snapshot by next week. Hopefully it will come sooner, but since it just reached the testing phase, at this point, it is hard to tell how quickly it will arrive in a snapshot.


The submission deadline for Beta 1 for openSUSE Leap 42.2 is tomorrow. Tasks associated with the release of Leap were recently added to https://progress.opensuse.org and an e-mail will soon be sent to people who have expressed their desire to help with the release of the distribution.

Anyone who wants to help translate the release of openSUSE Leap 42.2 can email opensuse-translation(at)opensuse.org or sign up for an account and begin translating at https://l10n.opensuse.org.

Anyone who wants to help with the release team should contact opensuse-factory(at)opensuse.org and community members are always encouraged to help with the newest release.

19 August, 2016


Dear Tumbleweed users and hackers,

Week 33 brought us again 5 snapshots (0812, 0813, 0815, 0816 and 0817). There were some smaller and bigger updates, as usual.

The noteworthy updates were

  • Mozilla Firefox 48.0
  • KDE Plasma 5.7.3
  • Mozilla NSS 5.24 – Most SSLv2 code disappeared
  • Linux Kernel – some security fixes
  • PAM Config 0.91 – this time without the regression of ‘last time’

And a couple more things are being prepared in staging areas

  • Linux kernel 4.7.1
  • KDE Applications 16.08.0
  • glibc 2.24 – one more package needs to be fixed (openmpi)

Most of those things are likely to reach you during next week.

18 August, 2016


As already mentioned in our previous blog post, with Leap 42.2 in Alpha phase and SLE12-SP2 in Beta phase, the YaST Team is concentrating the firepower in fixing bugs in the installer. We fixed more than 40 bugs in three weeks! The dark side is that most bug fixes are not juicy enough for writing a blog post… but there is always some interesting stuff to report.

Integration of installer self-update with SCC and SMT

The installer self-update feature integrates now with SUSE Customer Center (SCC) and Subscription Management Tool (SMT) servers. Until now, there were three different mechanisms to get the URL of the installer updates repository:

  • User defined (using the `SelfUpdate` boot option).
  • Using an AutoYaST profile.
  • The default one, specified in the `control.xml` which is shipped in the media.

Now YaST2 is able to ask SCC/SMT servers for the repository URL. The details of how the URL is determined are documented in the repository.

Fixes and enhanced usability in dialogs with timeout

As you may know, it’s possible to install (open)SUSE in an automatic, even completely unattended, basis using AutoYaST. AutoYaST can be configured to display custom configuration dialogs to the user and wait for the reply a certain amount of time before automatically selecting the default options. Until now, the only way for the user to stop that countdown was to start editing some of the fields in the dialog.

We got a bug report because that functionality was not working exactly as expected in some cases so, in addition to fixing the problem, we decided to revamp the user interface a little bit to improve usability. Now there are more user interactions that are taken into account to stop the counter; in particular, we added a new “stop” button displaying the remaining seconds. You can see an example of the result below.

New layout for dialogs with timeout

Following, as usual, the Boy Scout Rule we also took the opportunity to add automated tests to make that part of YaST more robust for the future.

Automatically integrating add-on repositories during installation

Sometimes you want to extend the regular installation media by adding just a few extra packages or provide a number of fixed packages along with the media.

For this purpose, the installer can automatically register an add-on repository. All you have to do is to put the repository on the installation medium and to add a file /add_on_products.xml that points to this repository.

The file looks like this:

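<?xml version="1.0"?>
<add_on_products xmlns="http://www.suse.com/1.0/yast2ns"
    xmlns:config="http://www.suse.com/1.0/configns">
    <product_items config:type="list">
        <product_item>
            <!-- the <url> element pointing to the repository location goes here -->
            <name>My Add-on</name>
            <priority config:type="integer">70</priority>
            <ask_user config:type="boolean">false</ask_user>
            <selected config:type="boolean">true</selected>
            <check_name config:type="boolean">false</check_name>
        </product_item>
    </product_items>
</add_on_products>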

You can define the following elements:

  • <name> is the name of your repository
  • <url> points to the repository location; you’ll likely

17 August, 2016

This Saturday I'll talk at FrOSCon about the future of private clouds and how Nextcloud is pushing that.

Frank won't make it, sadly, as he's in Denmark speaking at another event. Or somewhere else, his travel is a bit crazy lately ;-)

Future of private clouds

Frank blogged last week about a vision for Nextcloud and we've been thinking and discussing this at our hackweek with about 30 community members as well. It was quite amazing to bring so many people together and discuss these things!

Afterwards we've brought most of the topics to our forums or github, including our ambitious Nextcloud 11 roadmap. I'll certainly talk about some of those things this weekend at FrOSCon:
  • Communication integration
  • New app store
  • New updater
  • Federation
And more. Today or tomorrow we'll release a RC of Nextcloud 10 and I'll discuss what we've done there as well, what is new and improved, small and big.

If you like to get involved in the 'future', join us at our conference!


Snapshot 20160808 brought openSUSE Tumbleweed users Plasma 5.72 shortly after last week’s article was published, but it didn’t last long.

This week Tumbleweed appears to have a strong wind making it roll remarkably fast as openSUSE’s popular rolling release had six snapshots since the last update was published.

The latest snapshot, 20160815, was fairly small updating gstreamer-plugins-bad, libgusb and opus codecs.

Snapshot 20160813 updated repositories for systemd and kernel-source were updated to enable missing BayTrail and LynxPoint drivers. Yast2-firstboot was updated in this snapshot as well as a snapshot the day before. The multipath-tools package had the most fixes and cleanup in the 20160813 snapshot.

Some users might already be using the latest version of Mozilla Firefox after the 20160812 snapshot, which updated Firefox to version 48. Plasma 5.72 had a very short life in Tumbleweed as version 5.7.3 rolled over the previous version that arrived just four days earlier. Other notable updates in the snapshot were qemu, NetworkManager-openvpn and gfxboot.

Snapshot 20160811 had only two packages update in Tumbleweed, but there were a significant amount of patches and cleanup for grub2.

Updates for gnome-photos to 3.20.3, wine to 1.9.16, and xen to 4.7.0_10 were just a few of the many updates that made it into snapshot 20160810. Libnfs and libvirt  were updated in the snapshot. Python3-setuptools updated to 25.1.6 and a few updates for YaST virtual machine and network were also in the snapshot.


New packages in openSUSE Factory will automatically be submitted for the next release of Leap until Beta 2. Beta 2 is the freeze to get packages into the release of openSUSE Leap 42.2.

For those who want to get packages in the Beta 1, the submission deadline is August 25. Leap’s Beta 1 is expected to be released for testing on August 31. Testers are encouraged to test the latest development versions of Leap, which can be found at software.opensuse.org.

16 August, 2016

I was searching for a language to write the phone GUI with... python3+gtk3 is way too slow; 9 seconds for trivial application is a bit too much (on N900). python2+gtk2 is a lot better at 2 seconds. Lua should be even faster.

But while searching for a good language, Vala caught my mind. Designed to be integrated with gtk/dbus, compiled language. I was worried about error messages and errors from vala->c->binary compilation, but seems good so far.

Oh and it seems that emacs org mode is right thing to use for calendar. It looks like a bit too complex at first, but it seems the complexity is well justified... and I was doing similar things manually. Still have to search for a component to notify using popup / audio when an event is upcoming.

14 August, 2016

Jigish Gohil: Live USB improvements

05:33 UTC


Tools to create multi distribution bootable USB stick got couple of new improvements and features.

live-usb-gui now offers a choice of scripts to use, depending on your need you can either use live-fat-stick with a vfat partitioned stick or the live-grub-stick script, which works with any partition format supported by grub2 including vfat, and must be used if you have an iso bigger than 4G.

live-grub-stick can now create bootable USB from openSUSE installation media isos (standard DVD or NET), difference from --isohybrid option is that the data already on the stick is not touched, the whole iso is available on the stick so you can use the stick to copy it around apart from being able to install from it.

Two new options, --suse-persistent (for openSUSE live ISOs) and --ubuntu-persistent (for Ubuntu and clones), are now available; using these options allows live sessions to be persistent over multiple boots, even when used on a vfat partition. Again, the way it is used does not need a change in the partition format of the stick; existing data on the stick remains untouched.

Feel free to fork https://github.com/cyberorg/live-fat-stick if you want some more enhancements.

13 August, 2016


My traffic shaping has really worked out using pfsense to lower my buffer bloat and get better network performance.

I built my own pfsense from a Dell OptiPlex 990 SFF PC with an Intel Core i5-2400 3.1GHz. I have installed an Intel PRO/1000 VT Quad Port Server Adapter LP PCI-E for more networks and vlans on my network. Traffic shaping was a breeze with pfsense. I of course run pfsense virtualized as the OS itself doesn't work on the hardware physically. BSD seems to have more limited hardware support than Linux these days. It was really the fact that the BSD kernel didn't have the right support for this chip and kept hard locking with a kernel error that made no sense. So I have installed SUSE Linux Enterprise Server 12 SP1 as the HOST OS which is humming along with no kernel errors and pfsense is running as a KVM virtual machine. I have bridged all the network interfaces for the virtual machine and it works great. It's been running for 3 months now with no troubles.

Now to try out Sophos UTM. Looks like a fun alternative to pfsense and it's Linux based. :-)

12 August, 2016

Python developers record their dependencies on other Python packages in requirements.txt and test-requirements.txt. But some packages have dependencies outside of python and we should document these dependencies as well so that operators, developers, and CI systems know what needs to be available for their programs.

Bindep is a solution to this, it allows a repo to document binary dependencies in a single file. It even enables specification of which distribution the package belongs to - Debian, Fedora, Gentoo, openSUSE, RHEL, SLES and Ubuntu have different package names - and allows profiles, like a test profile.

Bindep is one of the tools the OpenStack Infrastructure team has written and maintains. It is in use by already over 130 repositories.

For better bindep adoption, in the just released bindep 2.1.0 we have changed the name of the default file used by bindep from other-requirements.txt to bindep.txt and have pushed changes to master branches of repositories for this.

Projects are encouraged to create their own bindep files. Besides documenting what is required, it also gives a speedup in running tests since you install only what you need and not all packages that some other project might need and are installed  by default. Each test system comes with a basic installation and then we either add the repo defined package list or the large default list.

In the OpenStack CI infrastructure, we use the "test" profile for installation of packages. This allows projects to document their run time dependencies - the default packages - and the additional packages needed for testing.

Be aware that bindep is not used by devstack based tests, those have their own way to document dependencies.

A side effect is that your tests run faster, since they have less packages to install. A Ubuntu Xenial test node installs 140 packages and that can take between 2 and 5 minutes. With a smaller bindep file, this can change.

Let's look at the log file for a normal installation using the default dependencies:
2 upgraded, 139 newly installed, 0 to remove and 41 not upgraded
Need to get 148 MB of archives.
After this operation, 665 MB of additional disk space will be used.

Compare this with the openstack-manuals repository that uses bindep - this example was 20 seconds and not minutes:
0 upgraded, 17 newly installed, 0 to remove and 43 not upgraded.
Need to get 35.8 MB of archives.
After this operation, 128 MB of additional disk space will be used.

If you want to learn more about bindep, read the Infra Manual on package requirements.
If you have questions about bindep, feel free to ask the Infra team on #openstack-infra.
Thanks to Anita for reviewing and improving this blog post and to the OpenStack Infra team that maintains bindep, especially to Jeremy Stanley and Robert Collins.

Disclaimer: I am not an expert. This post is my opinion, take it with a teaspoon of salt. I am still learning (a student if you will), don’t rely on my opinions to keep your privacy intact.

I was browsing around the interwebs last night and came across a post that I felt provided some strange and bad advice for privacy conscious users. It seems to mislead readers into thinking simply the use of these tools will allow you to hide your identity when this is really not the case. The post in question can be found here. There are many posts on the Internet that provide the same or similar advice so this really is not an attack against the author, I am sure they meant well, I just want to highlight the issues that the article has.

To be honest, there is no silver bullet solution to ensuring privacy/anonymity in the Internet, particularly if you are trying to hide from an all powerful adversary. Many tools, even the ones that have good encryption leak metadata that can be used to fingerprint users. So the truth is you need to learn to compartmentalize (separate your identities) yourself if you really want to hide, using hipster services that have never been audited, or running them yourself is a terrible idea unless you really really know what you are doing (protip: you don't).

I have made a list below that covers all the issues I have with this article, hopefully it provides some useful insight:

  1. The article starts off with this:
Your selfies or any other stuff you have on your device or what ever sites you visit are nobody’s concern but yours, so here is my list of over 30 things to help keep your devices and communications private.
But why is privacy important if I am not doing anything wrong?
Well I am not saying that you would, but… if you did a search for spoty dick cream, do you really want 2000 companies around the globe tracking that information? Privacy is a human right and if you close your curtains at night, its because you really do expect some level of privacy.

The author implies that using certain tools will make you “go dark” on the Internet when this just isn't true (I will discuss this more in detail further down). Since it is not clear who we are trying to hide from (Google? Facebook? Your ISP?) it is difficult to know for sure how much effort we should put into trying to stay hidden.

2. VPNs

So lets get started by closing the curtains and using a VPN. This wont make you anonymous but will help keep you private. Importantly it should have a no logging policy and is based outside the US, support OpenVPN, use encryption as well as accept Bitcoin. Here are only four that I found that fit the criteria:

Here’s the thing with this suggestion, If


Dear Tumbleweed users and hackers,

First, apologies for skipping last week's review. There was only one single snapshot (0730) released in this time. This snapshot alone would have given enough reason for a post though. But let me catch up on that, including the snapshots of this week (0803, 0805, 0806, 0808, 0810 and 0811).

Last week, there was only one snapshot as we were fighting issues with two systems which are crucial to openSUSE Tumbleweed: openSUSE Build Service and openQA. Both had some unrelated failures and both teams managing them were more than helpful in getting to the bottom of the issues – Thank you guys!

Now, with so many snapshots to report on, what did we get?

  • Linux Kernel 4.7.0 (0730). As usual, 3rd party drivers have proven to be a source for frustration
  • libinput 1.4.0 (the version is ‘done’ as per upstream’s blog. To be read with a grain of salt)
  • GIMP 2.8.18
  • GNOME Maps 3.20.2 – As MapQuest changed their ToS, a new tile provider needed to be added
  • LXDM was dropped: users are migrated to lightdm
  • Plasma 5.7.2

Quite a list – and I did not mention all packages, as usual. You can find more details in the various changelog files / snapshot announcement mails.

So, with so many things provided: are we done? Of course not: Tumbleweed is rolling – and nothing is taking the wind out of the sails. Things queued up to reach you soon are:

  • Plasma 5.7.3
  • Mozilla Firefox 48.0
  • glibc 2.24

Thanks to all the contributors keeping this distribution rolling.





We are happy to announce that Ramadoni Ashudi's design from Indonesia has been selected as the official logo for openSUSE.Asia Summit 2016 in Yogyakarta, Indonesia. As the winner, Ramadoni Ashudi will receive a “magic box” from the committee.
Ramadoni Ashudi submitted two designs and his design-2 was selected by 28 voters. His design depicts his version of Tugu Yogyakarta, a monument built by Sultan Hamengkubuwono I, the first King of Yogyakarta in 1755.
Ana Maria Martinez from Spain also submitted her version of Tugu Yogyakarta, which was selected by 17 voters for 2nd place.
In 3rd place, Shawhong Ser from Thailand submitted a design showing the Arjuna character from Wayang Kulit, a traditional Javanese shadow puppet. Arjuna is the 3rd of the Pandava brothers from the Mahabharata. It was selected by 9 voters.

Total of voters = 65
Ramadoni Ashudi-2 = 28
Ana Maria Martinez = 17
Shawhong Ser =  9
Aris Winardi =  4
Ramadoni Ashudi-1 =  4
Kukuh Syafaat =  3
Danang Aji Bimantoro-1 =  0
Danang Aji Bimantoro-2 =  0

The complete result can be seen on the contest web page

Congratulations to Ramadoni, and many thanks and appreciation to Ana, Aris, Danang, Kukuh, Shawhong for your participation in this contest.

Have fun.

11 August, 2016


With any software package, you will need additional packages to run it. Often, there's a tight coupling: The software package will only run with specific other package versions. This dependency information is sometimes found in README files, in code, or in package metadata. If you install the package, you need to figure out the dependency and handle it properly.

The Python package installer pip uses a list of requirements to install dependent Python packages. This list not only contains the name of packages but also limits which versions to use, or not to use.
In OpenStack we handle these dependencies in a global requirements list and use it for most of the repositories. During initial testing a specific package version is tested but at a later point, another one might be used, or during deployment again another one.

To document what was tested, give guidance for deployment, and help to figure out breakage by upstream projects, the OpenStack requirements project maintains a set of constraints with packages pinned to specific package versions that are known to be working. These are in the upper-constraints.txt file.

Devstack already handles upper-constraints.txt when installing packages and I'm happy to say that tox, the Python testing framework used in OpenStack, can now handle upper-constraints as well everywhere.

Constraints for tox based jobs

To use constraints, change in tox.ini the install command to:

install_command = pip install -c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt} {opts} {packages}


Note that constraints are used for the installation of each package, so if you want to install a package from source and have constraints for a specific version in the constraints file, it will not work. This happens with some of the OpenStack python client packages: When they install their dependencies, those might have a dependency on the client package itself. And this then will cause an error since the client package should get installed from source.

So, projects need to remove the constraints file for themselves if they run into this. Packages like python-novaclient and python-glanceclient therefore use a wrapper (tools/tox_install.sh) as install command to edit the constraints file first and remove their own project from it.

Also, be aware that this is only for those jobs that have been enabled for it in the project-config repository. It's done for all the generic tox enabled targets and should be done for all custom tox targets as well. Some repositories, like project-config itself, are not using constraints, so those jobs are not set up.

Constraints for DevStack jobs

Devstack-gate takes care of using constraints, there is nothing for a repository to do to honor constraints.

Check the devstacklog.txt file, if constraints are in use it will use lines like:

Collecting oslo.context===2.7.0 (from -c /opt/stack/new/requirements/upper-constraints.txt (line 204))
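
The two steps described in this post, removing a project's own pin from the constraints file and checking a log for lines that show constraints were applied, can be sketched as follows. This is an added example, not code from the post, from tools/tox_install.sh or from OpenStack; the function names and all sample data except the oslo.context log line are constructed for illustration.

```python
import re

# A pinned entry in upper-constraints.txt: name===version, optional ;marker.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*===\s*([^\s;#]+)")
# pip log line: "Collecting <requirement> (<where it came from>)".
COLLECT_RE = re.compile(r"Collecting\s+(\S+)(?:\s+\((.*)\))?\s*$")


def canonical(name):
    """Normalise a project name so 'Oslo_Context' equals 'oslo.context'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text):
    """Return {canonical name: pinned version} for every === line."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[canonical(m.group(1))] = m.group(2)
    return pins


def drop_own_project(text, project):
    """Return the constraints text without the pin for `project`, so the
    project itself can still be installed from source."""
    own = canonical(project)
    kept = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m and canonical(m.group(1)) == own:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def audit_log(log_text, pins):
    """Classify each 'Collecting' line of an install log.

    pinned   - installed via '-c' at the version in `pins`
    mismatch - installed via '-c' but at a different version than `pins`
    unpinned - collected without a constraints file being involved
    """
    report = {"pinned": [], "mismatch": [], "unpinned": []}
    for line in log_text.splitlines():
        m = COLLECT_RE.search(line)
        if not m:
            continue
        req, origin = m.group(1), m.group(2) or ""
        name = canonical(re.split(r"[=<>!~\[;]", req, maxsplit=1)[0])
        exact = re.search(r"===([^\s;]+)", req)
        if origin.startswith("from -c ") and exact:
            version = exact.group(1)
            if pins.get(name) == version:
                report["pinned"].append((name, version))
            else:
                report["mismatch"].append((name, version, pins.get(name)))
        else:
            report["unpinned"].append(req)
    return report


# Constructed sample constraints file.
SAMPLE_CONSTRAINTS = """\
oslo.context===2.7.0
python-novaclient===5.0.0
requests===2.10.0
six===1.10.0;python_version=='2.7'
"""

# First line is the log line quoted in the post; the rest are constructed.
SAMPLE_LOG = """\
Collecting oslo.context===2.7.0 (from -c /opt/stack/new/requirements/upper-constraints.txt (line 204))
Collecting requests===2.11.1 (from -c /opt/stack/new/requirements/upper-constraints.txt (line 310))
Collecting pbr>=1.6 (from python-novaclient==5.0.1.dev3)
"""

if __name__ == "__main__":
    print(drop_own_project(SAMPLE_CONSTRAINTS, "python-novaclient"))
    print(audit_log(SAMPLE_LOG, parse_pins(SAMPLE_CONSTRAINTS)))
```

A non-empty "mismatch" or "unpinned" list means the job installed something other than the versions recorded in the constraints file that was reviewed.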


To learn more about constraints read the requirements documents. There is also a spec that explains all the steps that where

10 August, 2016


Since the release of Linux Kernel 4.7 in the 20160730 snapshot, which brought lengthy email discussions about out-of-tree and third-party drivers on the Factory mailing list, openSUSE Tumbleweed produced three snapshots.

Snapshot 20160803 made a small update to the repositories for Mozilla Thunderbird and k3b. The snapshot updated libzypp to version 16.2.1, gnome-online-accounts to 3.20.3 and obs-service-source_validator. In 20160803, virt-viewer had the most changes.

Snapshot 20160805 brought more package changes and one major uninstall. LXDM was dropped from openSUSE Tumbleweed and uninstalled in this snapshot. LightDM is being used in the environment instead and is auto-installed with a change configuration for those who are using LXDM. This snapshot provided several repository updates, and NetworkManager-gnome, Libreoffice and WireShark 2.0.5 were a few of the many changes found in 20160805.

The most recent snapshot, 20160806, updated Inkscape, which provides more extensions. Wayland-protocols updated to a new upstream release of 1.5 and btrfsprogs has new options to run in the background with version 4.7.

Tumbleweed users will likely get Plasma 5.72 in the next snapshot, which should be released soon.

openSUSE Leap

In two weeks is the submission deadline to get packages in the next version of openSUSE Leap 42.2. The Beta 1 is scheduled for release at the end of this month, according to the roadmap.

The current development version, Alpha 3, needs more people to test the version and file bugs. Download Alpha 3 and test it out at software.opensuse.org.

09 August, 2016


openSUSE.Asia Summit is a 2 day event hosted every year in different regions of Asia to promote openSUSE and open source.  Hosting a variety of  workshops, talks and a hackathon, openSUSE Asia summit is expecting over 400 participants. Attendees will learn how to use openSUSE and incorporate it in their personal as well as professional lives. They will also understand the dynamics of the openSUSE project and meet the openSUSE contributors and board.

In addition, we have chance to learn free and open technologies, to share experiences with each other, and most of all, have fun at the Summit, and, in beautiful tropical scene of Yogyakarta region (a travel guide for you coming soon). In previous years openSUSE.Asia Summit has been held in Beijing, China in 2014 and National Taipei University of Education,Taipei / Taiwan, Republic Of China 2015.

Full schedule can be found at  https://events.opensuse.org/conference/summitasia16/

Dates 1st & 2nd October, 2016
Address: Convention Hall UIN Sunan Kalijaga, Yogyakarta
Jl. Laksda Adisucipto Yogyakarta 55281
IDR 50K – for students
IDR 100K – for professionals


  • Goodie bag
  • T-Shirt
  • Merchandise
  • Certificate
  • Lunch and Snack

How to pay for the ticket

Account holder’s name: Yan Arief Purwanto
Bank Central Asia (SWIFT Code: CENAIDJA)
Account number: 445 088 9143

Please send the confirmation email along with the ticket and transfer receipt in the attachment to:

08 August, 2016

Uzair Shamim: What is PAM?

01:26 UTC


The last post I did was the start of the Comprehensive Guide To AppArmor which took a look at the basics an administrator or developer needs to know to start creating and deploying AppArmor profiles for a program. In the post I also left a question for the reader regarding AppArmor being used to replace the traditional DAC permissions (but never should!) and how you could use it to remove access to a file from a specific user (rather than a program). However this requires usage of the pam_apparmor module for PAM and due to this, before going into depth with using pam_apparmor, you should make sure you have a grasp of the basics of PAM and its configuration files.

Seriously What Is PAM?

PAM stands for Pluggable Authentication Modules and is used to perform various types of tasks involving authentication, authorization and some modification (for example password change). It allows the system administrator to separate the details of authentication tasks from the applications themselves. This allows the policy to not only be generic, it means that the programs do not need to be modified in order to update the policy! An example of PAM usage is controlling login attempts to a shell/GUI interface so that only successful authentication and authorized events are allowed. You could also use PAM to control who can use the su binary to switch identities or control who can use the passwd utility to change passwords.


When a developer wishes to interact with PAM to let it handle events, they must include libpam which allows communication via the API provided by the library. When PAM sees a new event that it must process, it will look at the relevant configuration files found in /etc/pam.d and determine which modules must be used at certain stages.

Source: http://www.tuxradar.com/content/how-pam-works

PAM is capable of using context to determine what it needs to do, for example the pam_unix.so module has capabilities for the auth and account stack. In the auth stack it checks a username and password combo while in the account stack it will check a user's aging and expiration info. This versatility is one of the reasons PAM has been so popular in the UNIX world, it allows for solutions that can be combined to create a generic library to deal with certain types of request.

How Do I Tell A Program Supports PAM?

This is usually pretty easy, you can use ldd to check if libpam is in use:

comp:/home # ldd /usr/sbin/sshd | grep pam
libpam.so.0 => /lib64/libpam.so.0 (0x02209ddace0105400)
comp:/home # ldd /bin/su | grep pam
libpam.so.0 => /lib64/libpam.so.0 (0x02999ddace0105400)
libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x12211ddace1105400)


As I already mentioned, PAM configuration files are stored in /etc/pam.d for all valid programs. A line in a configuration file will look something like this:

auth sufficient pam_rootok.so

There are three parts to this
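An added example, not part of the original post or of PAM itself: a small Python parser for rule lines of the kind found in /etc/pam.d files, which also reports the stacks each module is called from (as with pam_unix.so in auth and account). The sample file content, function names and field names are constructed for illustration, and Debian-style @include lines are not handled.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a file under /etc/pam.d (not from a real system).
SAMPLE = """\
# constructed example
auth     sufficient  pam_rootok.so
auth     [success=1 default=ignore]  pam_unix.so nullok \\
         try_first_pass
-session optional    pam_systemd.so
account  required    pam_unix.so   # aging and expiry checks
account  include     common-account
"""

TYPES = ("auth", "account", "password", "session")
RULE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Parse the text of one pam.d service file into a list of rule dicts."""
    text = text.replace("\\\n", " ")          # backslash-newline continues a rule
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = RULE.match(line)
        if not m or m.group(2) not in TYPES:
            raise ValueError(f"not a PAM rule: {raw!r}")
        quiet, mtype, control, module, args = m.groups()
        if control.startswith("["):           # [value=action ...] form
            control = dict(p.split("=", 1) for p in control[1:-1].split())
        rules.append({"type": mtype, "control": control, "module": module,
                      "args": args.split(), "quiet_if_missing": quiet == "-"})
    return rules

def stacks_by_module(rules):
    """Map each module to the stacks (types) that call it, in file order."""
    seen = defaultdict(list)
    for r in rules:
        if r["control"] != "include" and r["type"] not in seen[r["module"]]:
            seen[r["module"]].append(r["type"])
    return dict(seen)

if __name__ == "__main__":
    for rule in parse_pam(SAMPLE):
        print(rule)
    print(stacks_by_module(parse_pam(SAMPLE)))
```

A leading "-" on the type, as on the session line in the sample, tells libpam not to log an error when the module is missing from the system.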

05 August, 2016

Michael Meeks: 2016-08-05 Friday.

21:00 UTC

  • Up early, bid 'bye to J. and the larger babes - let the smaller ones get going on Lego Mindstorms EV3 to have a first play with it clear of larger person interest.

OpenStreetMap has a problem... and a rather fundamental one. Saving all data in WGS-84 is nice and simple... but continents actually move. And that's why different countries use different coordinate systems. Australia moves a lot... cnet.com/.../australia-has-moved-1-5m Good thing is that we could map ships with that support. I guess there are other fundamental issues: the world is 3D, and that is actually a problem for multi-floor buildings. Plus, attributes for attributes would be useful. As in source:surface=survey...


So I configured scroll-lock & pause to select volume up/down. Works well so far. I also remapped workplace switching to F1-F12 (without alt). Works well so far, as I switch workplaces a lot, and nothing really uses F1-F10.

Ouch, and for Czech readers... UCW keyboard lives. Mate (== gnome2), in layouts add Czech Czech (UCW layout...), and in options "switching to another layout" capslock (while pressed).

04 August, 2016

Michael Meeks: 2016-08-04 Thursday.

21:00 UTC

  • Up early; mail chew, calls, lunch. ESC call. James & Kate over in the late afternoon; lovely to see them, Julie over for tea too.

03 August, 2016

Michael Meeks: 2016-08-03 Wednesday.

21:00 UTC

  • Up v. early, worked on under the hood descriptions too little, too late really. Lunch; caught up with Adam & James a bit in the garden; contract work in the car home.


Today we release LibreOffice 5.2.0, the next step in our journey, and what will become the base of the increasingly stable 5.2.x series. There is a fine suite of new features for people to enjoy - you can read and enjoy all the great news about the user visible features from many great hackers, but there are, as always, many contributors whose work is primarily behind the scenes, and a lot of work that is more technical than user-facing.

Some moons ago, the ESC decided to add some under-the-hood wiki pages so that people could add their own credits: I encourage you to read those here: 5.1 and 5.2. There are lots of good things there, and it saves me reading and summarizing ~10k commits each release, but then again - that can be fun too. This is my very quick attempt to make up for a year of inactivity on this front, and pluck a few of the un-mentioned bits out of 17,734 commits (that is an average of ~50 commits every day of the year) from liboffice-5-0-branch-point to libreoffice-5-2-branch-point:

Developer Central

A great initiative of Norbert Thiebaud has been to collect together most of the infrastructure and entry points that we have at TDF, and build an attractive list of these to help those new to the project find and use our tools and services. Check out http://devcentral.libreoffice.org/:

New central site to list developer infrastructure

Replacing Vigra with Cairo

LibreOffice has been able to run in a headless mode, doing its own pixel-bashing for a long time, and this is used intensively by both LibreOffice Online and also the Linux / gtk3 port. It has been a neverending source of amazement to myself and others that the (unreadable) template code using Vigra produces rather poorly performing code for all manner of cases - and needs special case optimization in the client code. One of the great joys of LibreOffice 5.2 is the final replacement of vigra, and the removal of the basebmp directory which allows us to use native (and assembler accelerated on eg. ARM) cairo for pixel bashing. While basebmp has served well and accelerated rendering for years, cairo also gives us accelerated anti-aliased line rendering and more. Thanks to Caolán McNamara (RedHat) for that.

Hardware Acceleration improvements

There were a large number of OpenGL and OpenCL improvements in this time period.

  • OpenGL got a much simplified rendering model - whereby we render everything to a double buffered back-buffer texture, and blit that to the screen at idle after re-paints are requested. This follows similar work for Mac and now gtk3. This combined with some dynamic adjustment of rendering priorities gives smooth re-painting and sizing without visible re-drawing. This work also significantly simplified GL context lifecycle and management.
  • OpenGL and CL crash protection - due to a large number of driver quality issues - we implemented a guard-zone that we enter and exit before doing any GL or CL call - such that our crash handler can detect a crash related

Klaas Freitag: ownCloud is hiring!

15:18 UTC


Come join us!


After the recent news, we are now back on stage and with this blog we want to point you to our open positions. Yes, we are hiring people to work on ownCloud. ownCloud is an open source project, yes, but ownCloud GmbH, the company behind the project, provides significant people’s power to expand the project to serve the needs for both the community and ownCloud GmbH’s customers. So if you ever dreamed of getting paid for work on open source, read on.

What we do – what you will work on

The call is for people who understand the vision of bringing the idea ownCloud to an enterprise ready level: ownCloud is not only running on individual open source enthusiasts hardware, but also on sites with huge amounts of data like CERN or the Sciebo project, and at large companies who want to work with their data in a secure way.

To provide the best solution for all of them we are looking for:

A System Administrator

In this role, you make sure that the infrastructure that we use in ownCloud is up and running. That involves troubleshooting and streamlining existing infrastructure, but also designing new services. If you love virtualization of all kinds and have an eye for security, this position is for you. Of course all this does not only happen behind closed doors, but you will be in contact with the open source community around ownCloud.

The Application Security Engineer

For security professionals who would like to take on a high profile open source project. As security is one of the core values of ownCloud, we are looking for somebody who constantly monitors the code flowing in for security problems, is able to find glitches in existing code and handle the bug bounty program. That and more is the task of this high profile position.

A Software Engineer PHP

For engineers with a passion for good software design and a love for writing code without being code monkeys: In this role you iron the server part of our platform, build new features, work on fixing bugs with the support colleagues and bother the architect with new ideas how to make the thing even better. For this you need the urge to get down and dirty with code, and to feel comfortable in a team of high profile developers who can teach you things and learn from you.

PHP or what?

Yes, ownCloud is written in PHP, and PHP is the most important, but by far not the only language that we use for the ownCloud platform.

Before you turn your back because of PHP, please think twice. There are a lot of good reasons why we are going with PHP, some of them are named in this blog, but there is more: For example PHP 7: With PHP 7 (which can be used with ownCloud) the language has caught up with many of the criticisms it faced before and has done a big leap.

And anyway, the

02 August, 2016

Ok, so there are 4 keys on my keyboard I know absolutely no use of: "wakeup" key -- when any key wakes machine up, "power" key, which just duplicates "sleep" key, "scroll lock" and "pause". The first two are slightly non-standard, but surely there should be some use for scroll lock and pause in X (those are present even on notebook)? But it seems there is none. Scroll lock LED is also unused. Ideas?

Ok, this is scary: tor browser on https://browserprint.info/test -- "Your browser fingerprint appears to be unique among the 8,440 tested so far. Currently, we estimate that your browser has a fingerprint that conveys 13.04 bits of identifying information."

Michael Meeks: 2016-08-02 Tuesday.

21:00 UTC

  • Mgmt call; plugged away at building stats, and details on under-the-hood changes from 5.0 to 5.2 for much of the day. Chat with Philippe.

01 August, 2016

Michael Meeks: 2016-08-01 Monday.

21:00 UTC

  • Up early, customer call; chat with Kendy & Tor, set off for Horsenden; arrived for a team call, and lunch.


Last week we wrote about the new GUI of Machinery, which integrates all views in one consistent navigation scheme. How did we get there? This post gives some insight into the design process we went through to create the new interface.


Before, Machinery provided three different GUIs, accessed through the browser, each initiated by its own command: one for listing all available descriptions, one for viewing a single description and one for comparing two different descriptions. There was no easy navigation between these views. To give the user a way to navigate through all descriptions while showing their details or comparing different descriptions without having to leave the graphical interface we decided to create an integrated navigation concept.


A typical design process consists of several phases: identifying the problem to solve, creating ideas for solutions, converging on prototypes for the most promising solutions, testing the prototypes, and implementing the best solution.

We knew what problem we had to solve so we went for a brainstorming session to create as many ideas as possible for how to do a consistent navigation between system descriptions and their comparisons. Our whole team had a meeting together with one designer for additional expertise. We split up in four groups spreading across the same number of rooms and created different mock ups, like these examples:


Drop down:

Burger Menu:

Each group presented their suggestions and described their thoughts and ideas behind each of their respective drafts. The whole session took not more than an hour and it was a lot of fun.

After some debate two possible solutions emerged and we decided to create prototypes of both the drop down and burger menu variants. We used the same technologies as we already had used for the implementation of the GUI, Bootstrap and HAML, for implementing the design decisions we have taken. Using these technologies as foundation made it easy to create the two prototypes quickly.

To get some data about how well both variants worked we conducted usability tests with both. This resulted in the drop down variant being better received and understood than the other candidate.


After the decision based on the usability test results the chosen prototype was polished. This first iteration was discussed and refactored and this process was repeated a second time until the final result was released.

One of the main features of the new interface is that the navigation stays the same on all different views so the user is able to switch between those using the same and familiar way of navigation and is at any point aware what the current state is. Selecting a system description is done through a popup window, which is shown in a similar way for selecting a description to show its details and for selecting the descriptions to be compared.

Comparison view showing two system descriptions

Especially for the comparison view we thought about a way to integrate both the navigation and the name of the system


This is one of many ways to create a virtual machine. This way starts with a hard disk image.

# NAME is the VM name; IMG is the URL of the hard disk image
wget -O "/var/lib/libvirt/images/$NAME" "$IMG"
virt-install --name "$NAME" \
--ram 2048 --graphics type=vnc \
--network bridge=br0 \
--import \
--disk "bus=virtio,path=/var/lib/libvirt/images/$NAME"

For IMG I used a SUSE-internal server with SLEnkins images.
The tricky part is knowing the right value for the --disk bus setting. At first I used the default but the machine wouldn't boot because it would see /dev/sda instead of the /dev/vda it was expecting.
